Your marketing systems are a ransomware target: the 72-hour reporting obligation
The Cyber Security Act 2024 requires ransomware payment reporting within 72 hours. Marketing databases, CDPs, and CRMs are targets. Marketing teams need to be in the incident response plan.
The Cyber Security Act 2024 introduced mandatory ransomware and cyber extortion payment reporting. From 30 May 2025, all businesses with annual turnover of AUD 3 million or more must report ransomware or cyber extortion payments within 72 hours. Enforcement commenced 1 January 2026.
This obligation is separate from and additional to existing obligations under the Notifiable Data Breaches scheme.
Why this matters for marketing teams
Ransomware attacks increasingly target the systems where customer data lives: CDPs, CRMs, marketing automation platforms, and analytics infrastructure. These systems hold personal information at scale, often with less rigorous security governance than core business systems.
When a ransomware event affects marketing systems, it triggers a 72-hour reporting clock. Marketing teams have to be part of incident response plans rather than peripheral to them. The question worth asking inside your organisation is whether the existing incident response plan accounts for marketing data, or whether marketing systems are an unowned attack surface in everyone else’s plan.
What to do
Confirm marketing systems are in the incident response plan: CDPs, CRMs, analytics platforms, and email marketing systems. If they are not named, they are not covered.
Make sure the marketing team knows the reporting obligation and the escalation path. A 72-hour clock does not allow for confusion about who reports what to whom. This is a tabletop exercise worth running.
Review the security posture of third-party marketing technology. SaaS vendors, data processors, and analytics platforms all hold customer data. The obligation to report applies to payments made on your behalf, which means a vendor incident can trigger your reporting obligation.
The penalty framework for this specific obligation is not yet fully defined, but the broader direction is clear. Accountability for data security is expanding (and IMO will accelerate as more sectors come into scope through subsequent legislation).